Expanding on the concept of Rational Deterrence and its effect on crime, we have published a research brief on Deterrence Theory and Its Effect on CyberCrime. The brief outlines the failing strategy of compelling companies to prevent breaches without deterring those who commit the crimes. You download the brief (all 25 pages) here. Below is a short excerpt:

“At RSA’s annual security convention, the head of the Federal Bureau of Investigation, Mr. Robert Mueller stated, on February 28th, 2012, ominously: “There are only two types of companies. Those that have been hacked and those that will be.”[1] At the same event, the CEO of RSA, told the audience: “Our networks will be penetrated. We should no longer be surprised by this.” He further stated: “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”[2] The comments, while accurate, are late in coming. RSA, one of the worlds’ largest security vendors, was breached in 2011. The breach was more than a simple theft of customer data. The breach was a theft of intellectual property that compromised the infrastructure of RSA’s 2-factor authentication system known as SecureID. This potentially exposed thousands (if not more) of companies to a bypass of their own access control mechanism.

RSA’s CEO then continued:

“Online security has traditionally been about building the biggest, fiercest defenses possible to keep attackers out. That’s not enough. Now, you have to assume you’ve been compromised, and invest just as heavily in detection.” He continues: “We need to tap more military experience and military intelligence experience,” Coviello said. “The new breed of analysts I’m talking about need to be offensive in their mindset.” (emphasis added)[3]

As any student of foreign affair or military strategy can attest, adopting a more military type experience and offensive mindset is not possible without adopting one of the primary tools of the military and US defense strategy; deterrence.

Unfortunately for companies on the receiving end of an attack, it is neither legal nor ethical for businesses to adopt an offensive deterrence strategy against cyber criminals. This leaves companies without one of the primary tools of crime prevention, and defense. The lack of a deterrent threat can be seen as a major reason that cybercrimes continue to increase seemingly unabated.”